SEC564: Red Team Operations and Threat Emulation

This course provides the foundation needed to manage and operate a Red Team and conduct Red Team engagements. What is Red Teaming? Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes and technology used to defend an environment.

Red Teaming is built on the fundamentals of penetration testing, yet focuses on specific scenarios and goals used to evaluate and measure an organization's overall security defense posture. That posture includes people, processes, and technology. This course will explore Red Teaming concepts in depth to provide a clear understanding of what a Red Team is and its role in Security Testing.

Organizations spend a great deal of time and money on the security of their systems. Red Teaming uses a comprehensive approach to gain insight into an organization's overall security. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities significantly improve an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.

The Red Team concept requires a different approach from a typical security test, and it relies heavily on well-defined tactics, techniques, and procedures (TTPs). These are critical if a Red Team is to successfully emulate a realistic threat or adversary. Red Team results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against an actual threat, and identify where security strengths and weaknesses exist.

Course Syllabus

SEC564.1: Planning and Management of Red Team Operations

Overview

Day 1 begins by introducing Red Team topics, concepts, and ideas. You will learn what Red Teaming is, how it is used, and how it compares to other security testing types such as vulnerability assessments and penetration tests. Several topics, concepts, and ideas that are specific to Red Teams, and which constitute the critical foundation of Red Teaming, are examined in order to provide a solid base of understanding.

Exercises

Setting up an Attack Platform

Decomposing a Threat

CPE/CMU Credits: 6

Topics

Red Teaming Definitions, Assumptions, and Expectations

Common Red Teaming Terms

Security Misconceptions and Assumptions

History and Origin

Red Teaming Introductions

How Red Teaming Compares to Other Security Tests

Red Team's Role in Blue Team Training

Live Assessment Example

Red Teaming Concepts

Red Team Roles and Responsibilities

Standard Attack Platform

Engagement Planning

Understanding and Controlling Tool Indicators

Threat Planning

Threat Perspective

Threat Emulation Scenarios

Red Team Goals

Social Engineering

Other Red Team Engagement Concepts

Handling Client Data

Engagement Frequency

How to Succeed

SEC564.2: Red Team Engagement Execution

Overview

Day 2 continues with engagement execution and a focus on Red Team tools and techniques. The day is filled with exercises that walk students through a mock Red Team engagement. Multiple Red Teaming phases are explored, and the day concludes by impacting the target organization's supply chain. During the exercises, you manage and control indicators of compromise (IOCs), design custom command and control channels, and use unique command and control tools. You will also learn the Red Teaming concepts needed to control and manage a Red Team. These include how to interface with clients, collect and log engagement artifacts, successfully execute an engagement, manage deconfliction, properly end an engagement, and deliver a professional report.

Exercises

Using Web Shells to Support C2

C2 Design and Customization - PowerShell Empire

Performing Operational Impact Against an ICS System

CPE/CMU Credits: 6

Topics

Red Team Engagement Execution

Data Collection

Tradecraft and TTPs

Execution Concepts

Tools and Techniques

Engagement Background

Engagement Culmination

Red Team Engagement Reporting

Additional Information

Laptop Required

To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

VMware

The class does not support VirtualBox, Virtual PC, or other non-VMware virtualization products.

You will use VMware to run a Linux guest operating system to perform exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. VMware Player can be downloaded for free from VMware's website.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

If you plan to use a Macintosh, please make sure you bring VMware Fusion.

During the course exercises, you will be connecting to a hostile network. Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during course exercises.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Security professionals interested in expanding their knowledge of Red Teaming

Prerequisites

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts is encouraged, and a background in security fundamentals will provide a solid base upon which to build Red Teaming concepts.

Many of the Red Teaming concepts taught in this course are suitable for anyone in the security community, and both highly technical staff as well as management personnel will be able to gain a deeper understanding of Red Teaming.

You Will Receive With This Course

A course USB with the SANS Slingshot Linux Penetration Testing Environment loaded with numerous tools used for all exercises

Details on Red Team use of common tools and their usage

A variety of sample documents used in planning, executing, and reporting Red Team engagements

This Course Will Prepare You To

Make the best use of a Red Team to understand and measure an organization's defenses. You will learn what Red Teaming is and how it differs from other security testing engagements. This course offers a unique view of the offensive security field of Red Teaming and the concepts, principles, and guidelines critical to a Red Team's success. It prepares you to design and create threat-specific goals to measure and train organizational defenders (CND/Blue Teams) and shows how a Red Team uses the "Get In, Stay In, and Act" methodology to achieve operational impacts.

Authors' Statement

"A great deal of time and money are spent on protecting critical digital assets. Many organizations focus their security testing on compliance or limited scope reviews of a system. These limited tests often leave an organization with a false sense of security. Organizations that open themselves to assessment not only of their technology, but also of their people and processes, can significantly improve their security posture and adjust a limited security budget to protect their most critical assets. Scenario-based testing and Red Team techniques can be used to determine how an organization really stands up to a realistic and determined threat."

- Joe Vest and James Tubberville

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.